Passive FTP using FTP profile
Hi Community, I have an F5 Big-IP 16.0.1.1 running on AWS with a FTP server behind running vsftpd. The idea is balance passive ftp publically. So, clients should hit public IP of the F5 for passive ftp. This scenario is running perfectly without an FTP profile, just a tcp profile (all ports) and the option pasv_address on the ftp server pointing to the public IP address of the F5. But I need to have this working with the FTP profile in order to implement extra security for FTP on the F5. I've tried to implement FTP passive load balancing using official documentations like (https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/load-balancing-passive-mode-ftp-traffic.html ) , but no matter what combination or configuration is implemented on the F5 & the ftp server, if I have the ftp profile the message ("passive mode refused") is always received after request PASV and only works if I use this for internal passive ftp, meaning that I not configure a "pasv_address" on the ftp server, and the client that request the connection is in the same Lan than the F5 & ftp server, resolving everything internally. As a said, i've tried a lot of combinations and settings on the F5 and ftp servers, but nothing works. Could someone give me a little of guidance here? Thanks in advance.
Config NGINX to F5
Hi everyone, I have VS. NGINX require script to implement at F5 profile but i dont know where I must config at F5 configuration. Here the NGINX requirement : client_max_body_size 5000M; client_body_buffer_size 5000M; client_body_timeout 4024; client_header_timeout 3024; Where I must config that NGINX requirement to the VS in F5 ??? Using profile or irules ?? How to set up ? Thanks
F5 Not Functioning With Pulse Secure
Hi All, We have a new set-up of an F5 with two VIPS - one performance layer 4 for https (SSL authentication to the pulse secure appliance), ad another standard VIP on UDP/4500 (for IPSec data traffic). Both Profiles have a source affinity persistence profile mapped to them which has option "Match Across Virtual Server" checked. This is to allow Both VIPS to act as one for Data Traffic. The F5 has also two Gateways configured as self IP's and their respective floating IP's - this is so the pulse uses the F5 as its gateway for internal and external traffic. The routing on the F5 points internal traffic to a default route to a switch in the DMZ which knows the route to the data center - and was being used to route traffic in the old set-up too. What we found with the new set-up was that traffic going to the external port worked fine, but traffic to the internal port on the pulse (routed via the F5 internal gateway) was not working at all. This interface should use its own IP address and initiate a request to Authentication servers, but did look like it was - resulting in users not being able to log into their pule clients (as authentication was failing). In the old set-up the gateways were on two separate switches, and this worked even after we reverted back - we saw users able to connect and log into pulse - where as in the new set-up they couldn't go past the prompt. We believe the issue is only with internal traffic, as external traffic looks fine. We also believe it could be the F5 potentially stopping the traffic from passing but not sure why. Could the profile be changing something in the packet header? Could both VIPs also need to be standard VIPS for this to work ? Has anyone come across an issue like this before ? Best Regards, SabeelHow to attach TCP profile for server/client individually via REST API?
Hi, I was trying to attach the TCP profile to virtual server by REST API. But now what I only can do is to specify the context to "all", then call PATCH on /tm/ltm/virtual/VIRTUALNAME. The content is: {"ipProtocol":"tcp","profilesReference":{"items":[{"kind":null,"name":"VIRTUALNAME","partition":null,"fullPath":null,"generation":0,"selfLink":null,"context":"all"}]}} "Context = all" means I am setting both of the client and server side at the same time. But I would like to set them separately to two different profiles, then I tried context = clientside or context = serverside. Then an error like "Less than the required minimum number of profiles found on VIRTUALNAME: Exactly 1 of (UDP Profile (serverside), TCP Profile (serverside), SCTP Profile (serverside))" was returned. Looks like when only setting clientside/serverside profile, F5 will delete both profiles for clientside and serverside firstly, then update the user's profile. But at that time, the profile is only for server or client, the other part of the profile has been deleted in the previous step, which led to this error. Could anyone help figure out if I am doing in the incorrect way? Or if this might be a bug of setting TCP profiles? Heap thanks.Persistence Profile Issues
I am having an interesting issue with a persistence profile. It works wonderful in QA but is not working in production. I've created a persistence profile with the following attributes: Parent Profile Universal Mirror Persistence Enabled iRule Enabled and pointed Timeout Enabled and set to 28800 seconds The iRule: when HTTP_RESPONSE { if { [HTTP::cookie exists "ASP.NET_SessionId"] } { persist add uie [HTTP::cookie "ASP.NET_SessionId"] pool po-server-https } } when HTTP_REQUEST { if { [HTTP::cookie exists "ASP.NET_SessionId"] } { persist uie [HTTP::cookie "ASP.NET_SessionId"] pool po-server-https } } In the virtual server instance I then set Default Persistence Profile to this new created profile. This all works wonderfully in QA and the client is persisted to one server based on their cookie value for ASP.NET. The pool names are correct, the cookie exists in both environments etc. but in production, the persistence is not taking place and the client is jumping between servers in the pool. Does anyone have ideas on this one or a path forward to troubleshoot this via clean logging that doesn't inundate the server?
Disable ECDHE Cipher Suite for Server Side SSL Profile
Hi, We have deployed Imperva WAF in transparent bridge mode between our F5 load balancers and Web Servers. In order to perform SSL Decryption, we need to disable certain Cipher Suites including ECHDE and EDH. I have configured the following below but am still getting warnings on the WAF that cipher ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA** cannot be decrypted. Current SSL Server Profile: ** DEFAULT:!SSLv3:!ECDHE:!EDH ** What else is missing in order to disable cipher ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ** ? Thanks for your help!Exporting a DDoS Profile
Hi, I have a DDoS profile in my Test environment which I want to export so I can import it into our Production Environment. Is this possible? Recreating the DDoS profile in production is simple enough however we have a third party manage our Production Systems so it would be easier to have them import my policy. Thank you in advance as always. Regards
